Internet Printing and Resulting Internet Communication in Windows Vista

In This Section

Benefits and Purposes of Internet printing

Overview: Using Internet Printing in a Managed Environment

How Internet Printing Communicates with Sites on the Internet

Controlling Internet Printing to Prevent the Flow of Information to and from the Internet

Procedures for Disabling Internet Printing

Benefits and Purposes of Internet printing

Internet printing makes it possible for client computers running Windows Vista to use printers located anywhere in the world by sending print jobs using Hypertext Transfer Protocol (HTTP).

Additionally, computers running Windows Vista can use Microsoft Internet Information Services (IIS) or a Web peer server to create a Web page that provides information about printers and provides the transport for printing over the Internet.

Overview: Using Internet Printing in a Managed Environment

You need to consider both the server and client aspects of Internet printing:

  • Server: It is possible for a person who logs on as the administrator of a computer running Windows Vista to install IIS and then configure that computer to act as a print server, allowing Internet printing. In a managed environment, you may want to prevent users from logging on as administrators so they cannot install IIS.

Important

For remote management of a print server that is running Windows Vista, we recommend that you use interfaces such as the Print Management snap-in, Remote Desktop, or command-line tools. This carries a lower security risk than installing IIS and Internet Printing on a computer that is used as a print server and not as a Web server.

  • Client: Client computers can install an Internet printer using a Web browser, the Add Printer Wizard, or the Run dialog box. To prevent Internet printing, you must remove the ability for users to add an Internet printer.

Details on how to configure your Windows Vista implementation to achieve these goals can be found later in this section.

How Internet Printing Communicates with Sites on the Internet

The Internet printing process is as follows:

  1. A user connects to a print server over the Internet by typing the URL for the print device.

  2. The HTTP request is sent over the Internet to the print server.

  3. The print server requires the client to provide authentication information. This ensures that only authorized users print documents on the print server.

  4. After the server authenticates the user, the server presents status information to the user by using Active Server Pages (ASP), which contain information about currently available printers.

  5. When the user connects to any of the printers on the Internet printing Web page, the Windows Vista client first tries to find a driver for the printer locally. If an appropriate driver cannot be found, the print server generates a cabinet file (.cab file, also known as a setup file) that contains the appropriate printer driver files. The print server downloads the .cab file to the client computer. The user on the client computer is prompted for permission to download the .cab file.

    The client computer downloads printer drivers and connects to the printer using either Internet Printing Protocol (IPP) or a remote procedure call (RPC), depending on the security zone that the printer share is in. The security zone is configured on the client computer through Internet Options in Control Panel. With a Medium-high or Medium security zone, IPP is used, and with a Medium-low security zone, RPC is used.

  6. After users connect to an Internet printer, they can send documents to the print server.

Communication for Internet printing uses IPP or RPC with HTTP (or HTTPS) over any port that the print server has configured for this service. Because the service is using HTTP or HTTPS, this is typically port 80 or port 443. Because Internet printing does support HTTPS traffic, communication can be encrypted, depending on the user’s Internet browser settings.

Client computers running Windows Vista can use Internet printing by default. Users must be authenticated by the print server, however, before they can use any of the printers connected to that server. If you install IIS on Windows Vista (which requires being logged on as an administrator), Internet printing is automatically enabled as a feature of IIS. As described earlier, you can disable or restrict computers running Windows Vista from hosting Internet printing in several ways. See the following subsection for additional details.

The print server can use IIS and other technologies to collect and log extensive data about the user, the computer that sends the printing request, and the request itself. It is beyond the scope of this white paper to describe Web site operations and the specifics of what type of information can be collected. For more information about IIS, see the resources listed in Internet Information Services and Resulting Internet Communication in Windows Vista in this white paper.

Controlling Internet Printing to Prevent the Flow of Information to and from the Internet

Client Computers

To prevent the use of Internet printing from a client computer running Windows Vista, you can use Control Panel or configure Group Policy.

Only a person logged on as an administrator on a computer running Windows Vista can install IIS and configure that computer to act as a print server. To control this, you can:

  • Prevent users from logging on as administrators, which prevents them from installing IIS (recommended).

  • Restrict access to the printer to limited user IDs.

Procedures for Controlling Internet Printing

The following procedures explain how to:

  • Disable Internet printing on a client computer running Windows Vista by using Control Panel.

  • Disable Internet printing on computers running Windows Vista by using Group Policy.

  • Prevent the downloading of print drivers over HTTP by using Group Policy.

    During the process of Internet printing, print drivers might be downloaded to a client, as described in “How Internet Printing Communicates with Sites on the Internet,” earlier in this section. You can prevent this type of print driver download by using Group Policy.

To Disable Internet Printing on a Computer Running Windows Vista by Using Control Panel

  1. Click Start, and then either click Control Panel or point to Settings and then click Control Panel.

  2. Either click Programs and then click Programs and Features or double-click Programs and Features.

  3. On the left, click Turn Windows features on or off.

  4. Under Print Services, make sure the check box for Internet Printing Client is cleared.

To Disable Internet Printing on a Computer Running Windows Vista by Using Group Policy

  1. As needed, see Appendix B: Resources for Learning About Group Policy for Windows Vista, and then edit an appropriate Group Policy object (GPO).

  2. If you want the policy setting to apply to all users of a computer and to come into effect when the computer starts or when Group Policy is refreshed, expand Computer Configuration. If you want the policy setting to apply to users and to come into effect when users log on or when Group Policy is refreshed, expand User Configuration.

  3. Expand Administrative Templates, expand System, expand Internet Communication Management, and then click Internet Communication settings.

  4. In the details pane, double-click Turn off printing over HTTP, and then click Enabled.

Important

You can also restrict Internet access for this and a number of other features by applying the Restrict Internet communication policy setting, which is located in Computer Configuration\Administrative Templates\System\Internet Communication Management or in User Configuration\Administrative Templates\System\Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C: Group Policy Settings Listed Under the Internet Communication Management Category in Windows Vista.

To Prevent the Downloading of Print Drivers over HTTP to Computers Running Windows Vista by Using Group Policy

  1. As needed, see Appendix B: Resources for Learning About Group Policy for Windows Vista, and then edit an appropriate GPO.

  2. If you want the policy setting to apply to all users of a computer and to come into effect when the computer starts or when Group Policy is refreshed, expand Computer Configuration. If you want the policy setting to apply to users and to come into effect when users log on or when Group Policy is refreshed, expand User Configuration.

  3. Expand Administrative Templates, expand System, expand Internet Communication Management, and then click Internet Communication settings.

  4. In the details pane, double-click Turn off downloading of print drivers over HTTP, and then click Enabled.

Important

You can also restrict Internet access for this and a number of other features by applying the Restrict Internet communication policy setting, which is located in Computer Configuration\Administrative Templates\System\Internet Communication Management or in User Configuration\Administrative Templates\System\Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C: Group Policy Settings Listed Under the Internet Communication Management Category in Windows Vista.

Additional References